Skip to content

Introduction to SSL Pinning

SSL pinning is a security technique that allows an application to verify the identity of a server it is communicating with by checking the server’s certificate against a list of trusted certificates. This is done by comparing the public key of the certificate with a list of trusted public keys.

homepage-banner

SSL/TLS Pinning, as the name suggests, embeds the SSL/TLS certificate provided by the server into the APP client developed for mobile devices. When the client initiates a request, the legitimacy of the connection is determined by comparing the embedded certificate with the server-side certificate.

1 Overview

In public networks, we are advised to use the secure SSL/TLS communication protocol for communication and to use digital certificates to provide encryption and authentication. In the process of “HTTPS Introduction, Illustration of SSL from Carriage Return to Handshake”, we know that the handshake process still faces the possibility of (MIM man-in-the-middle) attacks because the CA certificate issuing authority also faces the possibility of being hacked, and mobile devices also face the risk of forged embedded certificates.

2 Certificate Pinning Principle

Certificate Pinning and Public Key Pinning provide two locking methods. The title and overview actually describe the Certificate Pinning.

2.1 Certificate Pinning

We need to embed only certificates that accept specified domain names in the APP code and do not accept any certificates corresponding to the CA root certificate embedded in the operating system or browser. Through this authorization method, the uniqueness and security of communication between the mobile APP and the server (such as the API gateway) are guaranteed, so the communication between the mobile APP and the server can be ensured to be absolutely safe. However, CA-issued certificates have validity period problems, so the disadvantage is that the certificate needs to be re-embedded in the APP after renewal.

2.2 Public Key Pinning

Public Key Pinning extracts the public key from the certificate and embeds it in the mobile APP. The legitimacy of the connection is verified by comparing the public key value with the server. When we make certificate keys, the public key can remain unchanged before and after the certificate is renewed (that is, the key pair remains unchanged), so it can avoid certificate validity period problems.

3 Certificate Pinning Fingerprint (Hash)

3.1 Obtain the required certificate for the mobile terminal

If the Certificate Pinning method is adopted, obtain the summary hash of the certificate. Taking “infinisign.com” as an example:

## Read the server-side .cer format certificate online
openssl s_client -connect infinisign.com:443 -showcerts < /dev/null | openssl x509 -outform DER > infinisign.der
## Extract the summary hash of the certificate and view it in base64 format
openssl dgst -sha256 -binary infinisign.der | openssl enc -base64
wLgBEAGmLltnXbK6pzpvPMeOCTKZ0QwrWGem6DkNf6o=

Therefore, “wLgBEAGmLltnXbK6pzpvPMeOCTKZ0QwrWGem6DkNf6o=” is the fingerprint (Hash) information that we are going to lock the certificate with.

3.2 Obtain the required public key for the mobile terminal

If the Public Key Pinning method is adopted, obtain the summary hash of the certificate public key. Taking “infinisign.com” as an example:

## Read the public key of the server-side certificate online
openssl x509 -pubkey -noout -in infinisign.der -inform DER | openssl rsa -outform DER -pubin -in /dev/stdin 2>/dev/null > infinisign.pubkey
## Extract the summary hash of the certificate and view it in base64 format
openssl dgst -sha256 -binary infinisign.pubkey | openssl enc -base64
bAExy9pPp0EnzjAlYn1bsSEGvqYi1shl1OOshfH3XDA=

Therefore, “bAExy9pPp0EnzjAlYn1bsSEGvqYi1shl1OOshfH3XDA=” is the fingerprint (Hash) information that we are going to lock the certificate with.

4 Advantages of SSL Pinning

  1. Enhances Security: One of the most significant benefits of SSL pinning is that it enhances the security of network communications by adding an extra layer of protection against man-in-the-middle attacks. SSL pinning requires a pre-configured certificate or public key, ensuring that the client device only communicates with the intended server and not with an imposter.
  2. Mitigates Certificate-Based Attacks: SSL pinning can prevent certificate-based attacks, where an attacker compromises a certificate authority (CA) or issues fake certificates. By hard-coding the certificate or public key of the intended server, SSL pinning prevents attackers from presenting their own fake certificates and decrypting encrypted traffic.
  3. Improves Performance: Another advantage of SSL pinning is that it can improve application performance. Since SSL pinning eliminates the need for the client device to validate the server’s SSL certificate with trusted CAs, it saves processing time and reduces latency.
  4. Ensures Trust: SSL pinning ensures trust between the client and server by requiring the client device to verify the server’s identity through a trusted certificate or public key.

5 Limitations of SSL Pinning

  1. Complicates Deployment: SSL pinning complicates deployment and maintenance, which is one of its main drawbacks. To implement SSL pinning, the certificate or public key must be hard-coded into the client application. As a result, any changes to the server’s SSL certificate or public key will require an update to the client application.
  2. Adds Development Overhead: Implementing SSL pinning introduces additional development overhead. Developers must ensure that the client application can securely store the pinned certificate or public key.
  3. Limits Flexibility: Pinning an app makes it cumbersome to change the security certificate. To update an Android app, it must be updated and reinstalled by users from Google Play.

6 Summary

Certificate Pinning aims to solve the uniqueness of communication between mobile APPs and servers. In the actual communication process, if the locking process fails, the client APP will refuse all SSL/TLS requests to the server. FaceBook/Twitter use certificate pinning to prevent man-in-the-middle attacks in packet capture tools such as Charles/Fiddler.

Reference

  • https://www.infinisign.com/faq/what-is-ssl-pinning
  • https://cheapsslweb.com/blog/what-is-ssl-pinning
  • https://shunix.com/ssl-pinning/
  • https://yu-jack.github.io/2020/03/02/ssl-pinning/
Feedback